3.1 Field of the Invention
The exemplary, illustrative technology herein relates to systems, software, and methods for supporting authentication, authorization, and policy-compliance assurance for a device and user accessing various participating network services that are themselves accessible without a VPN, based on the establishment of a VPN tunnel between the device and a VPN concentrator. The technology herein has applications in the areas of network security, single sign-on (“SSO”) support for network service access, e-commerce, and enterprise device policy compliance enforcement.
3.2 The Related Art
The Security Assertion Markup Language (SAML) protocol is an XML-based open standard data format for exchanging authentication and authorization data between parties, such as between an identity provider (“IDP”) and a service provider. The SAML specification defines three roles: the principal (e.g., a user running an application on a device), the identity provider, and the service provider. Generally, the principal first requests a service from the service provider. The service provider then requests and obtains an assertion from the identity provider, which may request information from the principal, such as a user name and password, in order to authenticate the principal before providing the assertion. On the basis of this assertion, the service provider makes an access control decision (i.e., determines whether or not to perform the requested services for the principal).
SAML specifies the assertions between the three parties: in particular, the messages that assert identity that are passed from the identity provider to the service provider. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one service provider may rely on and trust assertions from many identity providers. SAML, however, does not specify the method of authentication to be used by an identity provider; the identity provider may make use of a username and password, or some other form of authentication, such as multi-factor authentication. Directory services that allow users to gain access with a user name and password are typical sources of authentication tokens (e.g., passwords).
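As an added illustration of the three-party exchange described above (example code, not part of the patent): the identity provider issues a signed assertion for an authenticated principal, and the service provider makes its access-control decision by checking the issuer against the identity providers it trusts, the audience, the validity window, and the signature. Entity identifiers, the subject name and the key are constructed, and an HMAC over the serialized element stands in for the XML Digital Signature a real SAML deployment would use.

```python
"""Toy SAML-style assertion exchange. Constructed stand-ins: an HMAC replaces
XML-DSig, and timestamps are plain floats. Element names follow SAML 2.0."""
import hmac
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def issue_assertion(issuer, key, subject, audience, now, lifetime=300):
    """Identity provider: after authenticating the principal, emit an
    assertion bound to one service provider, plus a signature over it."""
    a = ET.Element(f"{{{NS}}}Assertion")
    ET.SubElement(a, f"{{{NS}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{NS}}}Subject")
    ET.SubElement(subj, f"{{{NS}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{NS}}}Conditions",
                         NotBefore=str(now), NotOnOrAfter=str(now + lifetime))
    aud = ET.SubElement(cond, f"{{{NS}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS}}}Audience").text = audience
    body = ET.tostring(a)
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, sig

def sp_access_decision(body, sig, trusted_idps, my_entity_id, now):
    """Service provider: accept only an untampered assertion from a trusted
    issuer, addressed to this SP, and inside its validity window.
    Returns (True, subject) or (False, reason)."""
    a = ET.fromstring(body)
    issuer = a.findtext(f"{{{NS}}}Issuer")
    key = trusted_idps.get(issuer)          # one SP may trust many IdPs
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    cond = a.find(f"{{{NS}}}Conditions")
    if not (float(cond.get("NotBefore")) <= now < float(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    audience = a.findtext(
        f"{{{NS}}}Conditions/{{{NS}}}AudienceRestriction/{{{NS}}}Audience")
    if audience != my_entity_id:
        return False, "assertion not intended for this service provider"
    return True, a.findtext(f"{{{NS}}}Subject/{{{NS}}}NameID")
```

Note that nothing in the decision consults an enterprise policy about the device or user: the service provider only learns that some trusted identity provider vouched for the subject.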
Thus, SAML authentication does not provide for enforcement of enterprise policies at the identity provider or the service provider. There are no effective mechanisms for policy delivery, enforcement, and reporting when using third-party identity and service providers.
The present invention meets these and other needs.